Forging of digital signatures by malware?

Discussion in 'other firewalls' started by Gullible Jones, May 26, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    Hi, see what you make of these.


    Digital Certificates Not Always a Safety Guarantee http://blog.trendmicro.com/digital-certificates-not-always-a-safety-guarantee

    Fake SSL Certificates Seen Again http://blog.trendmicro.com/fake-ssl-certificates-seen-again

    PayPal Scam Site Using Legit SSL http://www.internetnews.com/ec-news/article.php/2232421

    New Research Suggests That Governments May Fake SSL Certificates http://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl

    April 15, 1999 Attacking Certificates with Computer Viruses http://www.schneier.com/crypto-gram-9904.html#certificates

    April 15, 2001 Fake Microsoft Certificates http://www.schneier.com/crypto-gram-0104.html

    phishers have begun to outfit their counterfeit sites with self-generated Secure Sockets Layer certificates http://abcnews.go.com/Technology/PCWorld/story?id=1351041

    Too Many Security Warnings Results in Complacency http://www.schneier.com/blog/archives/2009/08/too_many_securi_1.html

    Example of how fake sites target users of e-gold, E-Bullion, Pecunix, and Liberty Reserve http://blog.e-gold.com/2007/09/sophisticated-f.html

    Probably you want to import a "fake" SSL cert in JRE's trustcacerts for avoiding not-a-valid-certificate issues. http://stackoverflow.com/questions/684081/importing-ssl-certificate-into-eclipse

    *

    Here's an app for FF that might be useful ;)

    SSL Blacklist 4.0 http://codefromthe70s.org/sslblacklist.aspx
     
  2. Those are different, they involve SSL certificates for websites.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @Gullible Jones

    Brain fart :D

    My Head Hurts - Monty Python -http://www.youtube.com/watch?v=rTens4i32b0-
     
  4. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    I looked through the list of webpages you referenced, and I failed to see any instances described in which an adversary successfully forged a digital certificate (i.e., used a certificate from a trusted source to successfully sign malware and thereby misrepresent the actual software publisher).

    Am I missing something?
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.